Integrating Security Roles into Microsoft Silverlight Applications

Integrating Security Roles into Microsoft Silverlight ApplicationsDEV356

Dan WahlinWahlin Consulting

Agenda

Silverlight Security OptionsAccessing User Identity InformationAccessing User RolesCreating a SecurityManager class

Silverlight Security Options

Silverlight Authentication:WindowsFormsCustom

Silverlight Authorization:Active Directory GroupsForms RolesCustom Roles

Windows Authentication Options

Option 1: Secure page hosting Silverlight controlEasiestUser promptedSilverlight app secured

Option 2: Secure backend servicesSilverlight application is anonymousCalls to service require credentialsClient HTTP stack can be used

Using the Client HTTP Stack

//Set once in App.xaml.csHttpWebRequest.RegisterPrefix("https://", WebRequestCreator.ClientHttp);

....

WebClient wc = new WebClient();wc.UseDefaultCredentials = false;wc.Credentials = new NetworkCredential("username", "password", "domain");

Agenda

Securing Silverlight ApplicationsAccessing User Identity InformationAccessing User RolesCreating a SecurityManager class

Accessing a User's Credentials

Silverlight does not support accessing the User object directly

User.Identity.Name

Options for accessing the user name:initParams (be careful!)Use a serviceWCF RIA Services

Passing the User Name with initParams

User Name can be passed dynamically into Silverlight using initParams

Be Careful!

Using initParams

<param name="initParams" value="UserName=<%=User.Identity.Name%>" />

…private void Application_Startup(object sender, StartupEventArgs

e) { ProcessInitParams(e.InitParams); this.RootVisual = new MainPage();}

void ProcessInitParams(IDictionary<string, string> initParams) { if (initParams != null) { foreach (var item in initParams) { this.Resources.Add(item.Key, item.Value); } }}

Creating a User Credentials Service

Create a User Credentials WCF/ASMX service:Service handles returning authenticated user's informationNo risk of a spoofed User Name as with initParamsService can return additional information such as rolesWCF RIA Services does this out-of-the-box

Returning a User Name from a Service

[OperationContract]public string GetLoggedInUserName() { return new SecurityRepository()

.GetUserName(OperationContext.Current);}

public class SecurityRepository {

public string GetUserName(OperationContext opContext) { return (opContext.ServiceSecurityContext != null && opContext.ServiceSecurityContext.WindowsIdentity !=

null) ? opContext.ServiceSecurityContext.WindowsIdentity.Name : null;

}

}

demo

Accessing an Authenticated User's User Name

Agenda


Accessing User Roles

Options:Pass user roles into application using initParamsCreate a security service operation that returns roles

Be Careful!

Returning Roles from a Service

[OperationContract]public List<Role> GetRoles(){ return new

SecurityRepository().GetRoles(OperationContext.Current);}

public class SecurityRepository { public List<Role> GetRoles(OperationContext opContext) { var userName = GetUserName(opContext); //Get roles from Active Directory, Database, or elsewhere }}

demo

Accessing User Roles

Agenda


How do you access and manage user names and roles in a Silverlight application?

Creating a SecurityManager Class

SecurityManager class can act as client-side gateway to user credentials:

Accesses user credentials asynchronouslyDetermine user role(s)Determine access to viewMVVM compliantAdd to ViewModel base class through aggregation

The SecurityManager Class[Export(typeof(ISecurityManager))][PartCreationPolicy(CreationPolicy.Shared)]public class SecurityManager : ISecurityManager { public event EventHandler UserSecurityLoaded; public bool IsUserSecurityLoadComplete { get; set; } public ObservableCollection<Role> UserRoles { get; set; } public string UserName { get; set; } public bool IsAdmin { get; } public bool IsInUserRole { get; } public bool IsValidUser { get; } private void GetUserSecurityDetails() {} public bool CheckUserAccessToUri(Uri uri) {} public bool UserIsInRole(string role) {} public bool UserIsInAnyRole(params string[] roles) {}}

Using the SecurityManager Classpublic class ViewModelBase: INotifyPropertyChanged {

[Import] public ISecurityManager SecurityManager { get; set; }}

public class MainPageViewModel : ViewModelBase { public MainPageViewModel() { if (!IsDesignTime) SecurityManager.UserSecurityLoaded +=

SecurityManagerUserSecurityLoaded; } void SecurityManagerUserSecurityLoaded(object sender,

EventArgs e) { IsAdmin = SecurityManager.IsAdmin; //Set INPC property UserName = SecurityManager.UserName; //Set INPC property }}

demo

Creating and using a SecurityManager Class

SummarySilverlight doesn’t provide direct access to user credentialsDifferent techniques can be used to access a user name and roles:

Pass into initParams (be careful!)Access data through a security serviceUse WCF RIA Service's WebContext class

The SecurityManager class can simplify the process of working with user credentials

Handles async calls to security service Stores user credentials and provides security logicIntegrates well with MVVM

Contact Info

Bloghttp://weblogs.asp.net/dwahlin

Twitter@DanWahlin

Bloghttp://weblogs.asp.net/dwahlin

Twitter@DanWahlin

Related Content

DEV209: From Zero to Silverlight in 75 Minutes

DEV210: Microsoft Silverlight, WCF RIA Services and Your Business Objects

DEV331: A Lap around Microsoft Silverlight 5

DEV386HOL: Microsoft Silverlight Data Binding

DEV388HOL: Web Services and Microsoft Silverlight

DEV390HOL: Using the MVVM Pattern in Microsoft Silverlight Applications

Track Resources

Resource 1

Resource 2

Resource 3

Resource 4

Resources

www.microsoft.com/teched

Sessions On-Demand & Community Microsoft Certification & Training Resources

Resources for IT Professionals Resources for Developers

www.microsoft.com/learning

http://microsoft.com/technet http://microsoft.com/msdn

Learning

http://northamerica.msteched.com

Connect. Share. Discuss.

http://www.microsoft.com/teched

http://www.microsoft.com/learning

http://microsoft.com/technet

http://microsoft.com/msdn

http://northamerica.msteched.com/

Complete an evaluation on CommNet and enter to win!

MS Tag Placeholder Slide

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS

PRESENTATION.

Technology

Integrating Security Roles into Microsoft Silverlight Applications